Message-ID: <3a822c60.6ae8.189918ebd0a.Coremail.18500469033@163.com>
Date: Wed, 26 Jul 2023 17:36:38 +0800 (CST)
From: "Dingyan Li" <18500469033@....com>
To: "Oliver Neukum" <oneukum@...e.com>
Cc: "Greg KH" <gregkh@...uxfoundation.org>, stern@...land.harvard.edu,
sebastian.reichel@...labora.com, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re:Re: [PATCH] USB: add usbfs ioctl to get specific superspeedplus
rates
At 2023-07-26 16:33:22, "Oliver Neukum" <oneukum@...e.com> wrote:
>On 25.07.23 18:11, Dingyan Li wrote:
>
>> In proc_conninfo_ex(), the number of returned bytes is determined by
>> the smaller number between sizeof(struct usbdevfs_conninfo_ex) and a
>> user specified size. So if we only append new members to the end of
>> struct usbdevfs_conninfo_ex, it won't impact the bytes in the beginning.
>
>You have just caused memory corruption in user space by overwriting what
>was right behind the buffer of the agreed upon size. Or, not much better,
>caused a segmentation fault.
>
> Regards
> Oliver
How come?
The actual returned bytes must be smaller than or equal to user specified size.
You can check https://elixir.bootlin.com/linux/v6.5-rc3/source/drivers/usb/core/devio.c#L1493
Regards,
Dingyan
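
The size-capped copy discussed in this message can be modelled in user space. This is an added example, not code from the thread or from the kernel: the struct layouts are simplified, the appended ssp_rate member, the function names and all values are hypothetical, and memcpy() stands in for copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified layout that an old user-space program was compiled against. */
struct conninfo_v1 {
    uint32_t size;               /* struct size from the kernel's point of view */
    uint32_t busnum, devnum, speed;
    uint8_t  num_ports, ports[7];
};

/* Hypothetical newer layout: one member appended at the end. */
struct conninfo_v2 {
    uint32_t size;
    uint32_t busnum, devnum, speed;
    uint8_t  num_ports, ports[7];
    uint32_t ssp_rate;           /* hypothetical appended field */
};

/* Model of the copy step: write min(sizeof(struct), caller's size) bytes. */
size_t fill_conninfo(void *ubuf, size_t usize)
{
    struct conninfo_v2 ci;
    size_t n = usize < sizeof(ci) ? usize : sizeof(ci);

    memset(&ci, 0, sizeof(ci));
    ci.size = sizeof(ci);
    ci.busnum = 1; ci.devnum = 4; ci.speed = 6; ci.ssp_rate = 2; /* constructed */
    memcpy(ubuf, &ci, n);        /* stands in for copy_to_user() */
    return n;
}

/* Old caller: v1-sized buffer followed by a canary that must not change. */
int old_caller_canary_intact(void)
{
    struct { struct conninfo_v1 ci; uint32_t canary; } u;
    size_t n;

    memset(&u, 0, sizeof(u));
    u.canary = 0xA5A5A5A5u;
    n = fill_conninfo(&u.ci, sizeof(u.ci));
    return n == sizeof(u.ci) && u.canary == 0xA5A5A5A5u;
}

/* New caller: trusts the appended field only if the reported size covers it. */
int new_caller_sees_rate(void)
{
    struct conninfo_v2 ci;
    fill_conninfo(&ci, sizeof(ci));
    return ci.size >= offsetof(struct conninfo_v2, ssp_rate) + sizeof(ci.ssp_rate)
           && ci.ssp_rate == 2;
}

int main(void) { return !(old_caller_canary_intact() && new_caller_sees_rate()); }
```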